Group Policy settings as an extra layer of security?

Hi, I would like to *correctly* implement group policy on my computers as an added layer of huddles that hackers/malware need to jump over.

Yes, I know the principle of least privileges so I run all my owned computers (or at least the computers I have access to), with a limited accounts, rather than using admin as my daily beater. I used to run limited account for Windows XP too, until some programs and games weren't happy about it....so had to revert to and I guess stik with admin account as a beater on that.....

My security programs are Kaspersky Internet Security 2016 (KIS 2016), Malwarebytes AntiMalware, SUPERAntiSpyware, Spybot and SpywareBlaster.

This is what I have so far for my group policy settings:


Anything else I need to add or is everything looking good? Any comments at all either?

Also, I would like it so that I can also apply these settings to all my other computers fine as well, eg my other windows 7 PC, windows xp box, future windows 10 PC I guess, etc. Windows 98SE doesn't have group policies does it? :P

So I am looking for a universally fitted policy setting. ☺

Since I am uneasy coming up with my own group policy rules, I use CryptoPrevent (Foolish IT – Computer Repair Software – PC Tech Utilities – Malware Prevention). It comes in both a free and paid version options. Currently, it is running 3500+ group policies to prevent some of the issues you are concerned about.

The settings you're looking at is called software restriction policies and are an excellent way of improving security, so it allows only specific programs to run. Somewhat painful to setup, but once done it does a great job.

There is no such thing as an "universal" set of rules with software restriction policies. Basically you must apply the same minimum privilege criteria, enable only those things you know you use and disable everything else. Problem with that is that each computer has a different set of software, so each one needs different rules to get optimum security.

As for other computers, XP has the very same option, as does Windows 10. Win98 has almost no security features at all (not even user accounts), much less software restriction policies.

You may also want to explore other options in the group policy, many are very useful, not just for security.

akjudge said:

Since I am uneasy coming up with my own group policy rules, I use CryptoPrevent (Foolish IT – Computer Repair Software – PC Tech Utilities – Malware Prevention). It comes in both a free and paid version options. Currently, it is running 3500+ group policies to prevent some of the issues you are concerned about.

Ooooh... How restrictive is it? Does it still allow games and *normal* programs to run fine or do I need to configure a whitelist for that too and for each and every single one I want to run....? Because as you can see, as an example on my screen - KF2 doesn't run unless I allow *.TMP files in the temp directory....

Also, how does it compare to what I already have? What am I missing that it has that I don't have? Are they all necessary?

Is there a way for Group Policy (GP) settings to whitelist a specific program rather than me having a universal rule for it? For example, instead of a universal unblock rule for all .TMP files, I can jsut set it so that ONLY KF2 that uses .TMP files are allowed and the other programs/games (unless I find out), are not allowed? ...because malware *could* still slip through via the .TMP file.....since that's enabled by default......

Alejandro85 said:

The settings you're looking at is called software restriction policies and are an excellent way of improving security, so it allows only specific programs to run. Somewhat painful to setup, but once done it does a great job.

There is no such thing as an "universal" set of rules with software restriction policies. Basically you must apply the same minimum privilege criteria, enable only those things you know you use and disable everything else. Problem with that is that each computer has a different set of software, so each one needs different rules to get optimum security.

As for other computers, XP has the very same option, as does Windows 10. Win98 has almost no security features at all (not even user accounts), much less software restriction policies.

You may also want to explore other options in the group policy, many are very useful, not just for security.

Ahh I see....what are you minimum privilege criteria? Do you even use GP as an added layer? What do you think of my current setup? Any comments?

Ah, I can just copy what I have over to the other computers then! Because I basically do the same thing to them as I do to this one; play games, web browse, install stuff, watch stuff....move stuff around.....configure things....

Ok, so how would one keep a windows 98 machine safe on the internet....? Not that I still have one connected, just curious, that's all.....

Well you know, seeing how it's old and doubtful that hackers would be targeting such an old operating system......so you would figure it would be safe right? Just like running windows 3.1 or even DOS! Actually, did the internet exist when MS-DOS was around?

Ok so what are you suggestions then, as I've not used any of the other settings....?